{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- define "chainloop.postgresql.fullname" -}}
{{- /* Release name of the bundled PostgreSQL subchart, resolved by the common chart helper from .Values.postgresql. */ -}}
{{- $args := dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $ -}}
{{- include "common.names.dependency.fullname" $args -}}
{{- end -}}

{{- define "chainloop.vault.fullname" -}}
{{- /* Release name of the bundled Vault subchart, resolved by the common chart helper from .Values.vault. */ -}}
{{- $args := dict "chartName" "vault" "chartValues" .Values.vault "context" $ -}}
{{- include "common.names.dependency.fullname" $args -}}
{{- end -}}

{{/*
Returns a private key used for CAS <-> Controlplane communication
If we are running in development mode we fall back to a default one; otherwise it must be provided
*/}}
{{- define "chainloop.casjwt.private_key" -}}
{{- /*
Private key for CAS <-> controlplane authentication.
Outside development mode .Values.casJWTPrivateKey is mandatory and the render
fails without it. In development mode an empty value falls back to the key
embedded in this file, which ships with the chart and so must be treated as public.
*/ -}}
{{- if not .Values.development -}}
{{- required "Authentication Private Key \"casJWTPrivateKey\" required" .Values.casJWTPrivateKey -}}
{{- else -}}
{{- default (include "chainloop.casjwt.private_key.devel" .) .Values.casJWTPrivateKey -}}
{{- end -}}
{{- end -}}

{{/*
Returns a public key used for CAS <-> Controlplane communication
If we are running in development mode we fall back to a default one; otherwise it must be provided
*/}}
{{- define "chainloop.casjwt.public_key" -}}
{{- /*
Public key matching "chainloop.casjwt.private_key".
Outside development mode .Values.casJWTPublicKey is mandatory and the render
fails without it. In development mode an empty value falls back to the public
key embedded in this file.
*/ -}}
{{- if not .Values.development -}}
{{- required "Authentication Public Key \"casJWTPublicKey\" required" .Values.casJWTPublicKey -}}
{{- else -}}
{{- default (include "chainloop.casjwt.public_key.devel" .) .Values.casJWTPublicKey -}}
{{- end -}}
{{- end -}}

{{/*
DEVELOPMENT ONLY PRIVATE KEY
NOTE: It cannot be generated by Helm because the matching public key is also needed
*/}}
{{- define "chainloop.casjwt.private_key.devel" -}}
{{- /*
Development-only EC private key, counterpart of "chainloop.casjwt.public_key.devel".
It is committed to the chart, so it provides no confidentiality: tokens signed with
it can be produced by anyone holding the chart. It is only reached through
"chainloop.casjwt.private_key" when .Values.development is set and no
casJWTPrivateKey is supplied. Rendered verbatim, without a trailing newline.
*/ -}}
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIA762MbJK9IBnaqG0sd9uFRM+Z7Y+Aq5UfmbWf0+acKMYpYoy/8kBE
tI6cpcA2KvmW5qurOjIMh5ISr+P2GmzSZX+gBwYFK4EEACOhgYkDgYYABAFzPMcM
NUnPoC7b+s+/OyxRC7V/+elthj6Cq85WCj0KZ2qDvmd4QsYnsTIQ7NM7E+9WztdP
rJBaMdfauMarLlc7/AAHqoa0lv7HNIa0PpupZD4VXmnIe/ZkhHvKOuw0Bdoq2D2B
3U25sylQQto3nZ4IqnsXmrtYGIFI9om3PoliT9/J7g==
-----END EC PRIVATE KEY-----
{{- end -}}

{{/*
DEVELOPMENT ONLY PUBLIC KEY
*/}}
{{- define "chainloop.casjwt.public_key.devel" -}}
{{- /*
Development-only public key matching "chainloop.casjwt.private_key.devel".
Only reached through "chainloop.casjwt.public_key" when .Values.development is
set and no casJWTPublicKey is supplied. Rendered verbatim, without a trailing newline.
*/ -}}
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBczzHDDVJz6Au2/rPvzssUQu1f/np
bYY+gqvOVgo9Cmdqg75neELGJ7EyEOzTOxPvVs7XT6yQWjHX2rjGqy5XO/wAB6qG
tJb+xzSGtD6bqWQ+FV5pyHv2ZIR7yjrsNAXaKtg9gd1NubMpUELaN52eCKp7F5q7
WBiBSPaJtz6JYk/fye4=
-----END PUBLIC KEY-----
{{- end -}}

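{{- define "chainloop.credentials_service_settings" -}}
{{- /*
Credentials-service settings rendered from .Values.secretsBackend.
secretPrefix is always emitted; then exactly one backend block is emitted,
chosen by .backend ("vault", "awsSecretManager", "gcpSecretManager" or
"azureKeyVault"). Any other value renders secretPrefix alone. Missing mandatory
settings abort the render via required/fail instead of producing a partial config.
*/ -}}
{{- with .Values.secretsBackend }}
secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
{{- if eq .backend "vault" }}
{{- /* Pick up the dev-server root token from the vault subchart env vars. Only a literal `value` is read; a `valueFrom` entry leaves $tokenEnvVar empty. */ }}
{{- $tokenEnvVar := "" }}
{{- range $.Values.vault.server.extraEnvVars }}
  {{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }}
    {{- $tokenEnvVar = .value }}
  {{- end }}
{{- end }}
vault:
  {{- /* Development mode without an explicit vault address: target the bundled vault dev server and reuse its root token. */ }}
  {{- if and $.Values.development (or (not .vault) (not .vault.address)) }}
  address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }}
  {{- if $tokenEnvVar }}
  token: {{ $tokenEnvVar | quote }}
  {{- else }}
  {{- /* extraEnvVars is a list, so `index` with a string key would abort with a type error before the intended message was shown; fail directly instead. */ }}
  {{- fail "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" }}
  {{- end }}
{{- else if (required "vault backend selected but configuration not provided" .vault ) }}
  address: {{ required "vault address required" .vault.address | quote }}
  token: {{ required "vault token required" .vault.token | quote }}
{{- end }}

{{- else if eq .backend "awsSecretManager" }}
awsSecretManager:
  region: {{ required "region required" .awsSecretManager.region | quote }}
  creds:
    accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }}
    secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }}

{{- else if eq .backend "gcpSecretManager" }}
gcpSecretManager:
  projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
  serviceAccountKey: "/gcp-secrets/serviceAccountKey.json"
  {{- /* `empty` also rejects an unset key; `eq ... ""` only caught the empty string. The key content itself is mounted at the path above elsewhere in the chart. */ }}
  {{- if empty .gcpSecretManager.serviceAccountKey }}
  {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }}
  {{- end }}
{{- else if eq .backend "azureKeyVault" }}
azure_key_vault:
  tenant_id: {{ required "AD tenantID required" .azureKeyVault.tenantID | quote }}
  client_id: {{ required "Service principal ID required" .azureKeyVault.clientID | quote }}
  client_secret: {{ required "Service principal secret required" .azureKeyVault.clientSecret | quote }}
  vault_uri: {{ required "Azure Vault URL required" .azureKeyVault.vaultURI | quote }}
{{- end }}
{{- end }}
{{- end -}}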

{{- define "chainloop.node_port" -}}
{{- /*
HTTP node port of a service block (.type / .nodePorts.http), or the literal
"null" when the service is neither NodePort nor LoadBalancer or no port is set.
*/ -}}
{{- $exposed := or (eq .type "NodePort") (eq .type "LoadBalancer") -}}
{{- if and $exposed .nodePorts (not (empty .nodePorts.http)) -}}
{{- .nodePorts.http -}}
{{- else -}}
null
{{- end -}}
{{- end -}}

{{/*
##############################################################################
Controlplane helpers
##############################################################################
*/}}

{{- define "chainloop.controlplane.image" -}}
{{- /* Controlplane image reference built by the common chart helper from .Values.controlplane.image and .Values.global. */ -}}
{{- $imageArgs := dict "imageRoot" .Values.controlplane.image "global" .Values.global -}}
{{- include "common.images.image" $imageArgs -}}
{{- end -}}

{{/*
Chainloop Controlplane release name
*/}}
{{- define "chainloop.controlplane.fullname" -}}
{{- /* Release-scoped controlplane name: "<common fullname>-controlplane", capped at 63 characters with no trailing "-". */ -}}
{{- $base := include "common.names.fullname" . -}}
{{- printf "%s-controlplane" $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Chainloop Controlplane Chart fullname
*/}}
{{- define "chainloop.controlplane.name" -}}
{{- /* Chart-scoped controlplane name: "<common name>-controlplane", capped at 63 characters with no trailing "-". */ -}}
{{- $base := include "common.names.name" . -}}
{{- printf "%s-controlplane" $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels
*/}}
{{- define "chainloop.controlplane.labels" -}}
{{- /* Standard labels (with .Values.commonLabels passed as customLabels) followed by the controlplane component label. */ -}}
{{- $labelArgs := dict "customLabels" .Values.commonLabels "context" . -}}
{{- include "common.labels.standard" $labelArgs }}
app.kubernetes.io/component: controlplane
{{- end }}

{{/*
Selector labels
*/}}
{{- define "chainloop.controlplane.selectorLabels" -}}
{{- /* Match labels for controlplane pods: .Values.controlplane.podLabels merged with .Values.commonLabels, plus the component label. */ -}}
{{- include "common.labels.matchLabels" (dict "customLabels" (include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .)) "context" .) }}
app.kubernetes.io/component: controlplane
{{- end }}

{{- define "chainloop.controlplane.migration.image" -}}
{{- /* Migration image reference built by the common chart helper from .Values.controlplane.migration.image and .Values.global. */ -}}
{{- $imageArgs := dict "imageRoot" .Values.controlplane.migration.image "global" .Values.global -}}
{{- include "common.images.image" $imageArgs -}}
{{- end -}}

{{/*
Migration labels
*/}}
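{{- define "chainloop.controlplane.migration.labels" -}}
{{- /*
Labels for the migration workload. .Values.commonLabels is passed as
customLabels, as "chainloop.controlplane.labels" and "chainloop.cas.labels" do,
so common labels are not silently dropped on this component.
*/ -}}
{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }}
app.kubernetes.io/component: controlplane-migration
{{- end }}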


{{/*
OIDC settings, will fallback to development settings if needed
*/}}
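{{- define "controlplane.oidc_settings" -}}
{{- /*
OIDC section of the controlplane auth config, read from .Values.controlplane.auth.oidc.
Outside development mode url, clientID and clientSecret are mandatory. In
development mode each falls back to a fixed default: the bundled Dex service
and a well-known client id/secret pair that ships with the chart.
Values are emitted with `quote` so that quotes or backslashes in a URL or
secret cannot break the generated YAML.
*/ -}}
  {{- with .Values.controlplane.auth }}
  {{- if $.Values.development }}
    domain: {{ coalesce .oidc.url ( printf "http://%s:%d/dex" ( include  "chainloop.dex" $ ) ( int $.Values.dex.service.ports.http ) ) | quote }}
    client_id: {{ coalesce .oidc.clientID "chainloop-dev" | quote }}
    client_secret: {{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" | quote }}
  {{- else }}
    domain: {{ required "oidc URL endpoint required" .oidc.url | quote }}
    client_id: {{ required "oidc clientID required" .oidc.clientID | quote }}
    client_secret: {{ required "oidc clientSecret required" .oidc.clientSecret | quote }}
  {{- end }}
    {{- if .oidc.loginURLOverride }}
    login_url_override: {{ .oidc.loginURLOverride | quote }}
    {{- end }}
  {{- end }}
{{- end }}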

{{/*
Create the name of the service account to use
*/}}
{{- define "controlplane.serviceAccountName" -}}
{{- /*
Service account used by the controlplane: the configured name, else the
controlplane fullname when the chart creates the account, else "default".
*/ -}}
{{- $sa := .Values.controlplane.serviceAccount -}}
{{- if $sa.create -}}
{{- coalesce $sa.name (include "chainloop.controlplane.fullname" .) -}}
{{- else -}}
{{- coalesce $sa.name "default" -}}
{{- end -}}
{{- end }}

{{/*
Return the Postgresql connection string
*/}}
{{- define "controlplane.database.connection_string" -}}
{{- /*
postgresql:// connection URL for the controlplane. Only the password is
URL-escaped (see "controlplane.database.escapedPassword"); user, host and
database name are inserted as-is.
*/ -}}
{{- $user := include "controlplane.database.user" . -}}
{{- $password := include "controlplane.database.escapedPassword" . -}}
{{- $host := include "controlplane.database.host" . -}}
{{- $port := include "controlplane.database.port" . -}}
{{- $database := include "controlplane.database.name" . -}}
{{- printf "postgresql://%s:%s@%s:%s/%s" $user $password $host $port $database -}}
{{- end -}}

{{/*
Return the Postgresql connection string for Atlas migration
*/}}
{{- define "controlplane.database.atlas_connection_string" -}}
{{- /*
postgres:// connection URL for the Atlas migration job. When
.Values.controlplane.migration.ssl is false, "?sslmode=disable" is appended;
the flag must be a boolean for ternary.
*/ -}}
{{- $base := printf "postgres://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) -}}
{{- $suffix := ternary "" "?sslmode=disable" .Values.controlplane.migration.ssl -}}
{{- printf "%s%s" $base $suffix -}}
{{- end -}}

{{/*
Return the Postgresql hostname
*/}}
{{- define "controlplane.database.host" -}}
{{- /* Database host: the bundled PostgreSQL release name when .Values.postgresql.enabled, else .Values.controlplane.externalDatabase.host. */ -}}
{{- $bundled := include "chainloop.postgresql.fullname" . -}}
{{- $external := .Values.controlplane.externalDatabase.host -}}
{{- ternary $bundled $external .Values.postgresql.enabled -}}
{{- end -}}

{{/*
Return the Postgresql port
*/}}
{{- define "controlplane.database.port" -}}
{{- /* Database port: fixed 5432 for the bundled PostgreSQL, else .Values.controlplane.externalDatabase.port. */ -}}
{{- $external := .Values.controlplane.externalDatabase.port -}}
{{- ternary 5432 $external .Values.postgresql.enabled -}}
{{- end -}}

{{/*
Return the Postgresql password
*/}}
{{- define "controlplane.database.password" -}}
{{- /*
Database password. With the bundled PostgreSQL enabled, a non-empty
.Values.global.postgresql.auth.password takes precedence over
.Values.postgresql.auth.password; otherwise the external database password is used.
*/ -}}
{{- if not .Values.postgresql.enabled -}}
    {{- .Values.controlplane.externalDatabase.password -}}
{{- else -}}
    {{- with .Values.global.postgresql -}}
        {{- with .auth -}}
            {{- coalesce .password $.Values.postgresql.auth.password -}}
        {{- else -}}
            {{- $.Values.postgresql.auth.password -}}
        {{- end -}}
    {{- else -}}
        {{- $.Values.postgresql.auth.password -}}
    {{- end -}}
{{- end -}}
{{- end -}}


{{/*
Return the URL-escaped Postgresql password
*/}}
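{{- define "controlplane.database.escapedPassword" -}}
{{- /*
Database password percent-encoded for the userinfo part of a connection URL.
urlquery applies query-string escaping, which turns a space into "+" (a literal
"+" in the password is already encoded as "%2B" at that point), so "+" is then
rewritten to "%20" to stay valid in the userinfo component.
The define opener now trims like every other helper in this file.
*/ -}}
  {{- include "controlplane.database.password" . | urlquery | replace "+" "%20" -}}
{{- end -}}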

{{/*
Return the Postgresql database name
*/}}
{{- define "controlplane.database.name" -}}
{{- /*
Database name. With the bundled PostgreSQL enabled, a non-empty
.Values.global.postgresql.auth.database takes precedence over
.Values.postgresql.auth.database; otherwise the external database name is used.
*/ -}}
{{- if not .Values.postgresql.enabled -}}
    {{- .Values.controlplane.externalDatabase.database -}}
{{- else -}}
    {{- with .Values.global.postgresql -}}
        {{- with .auth -}}
            {{- coalesce .database $.Values.postgresql.auth.database -}}
        {{- else -}}
            {{- $.Values.postgresql.auth.database -}}
        {{- end -}}
    {{- else -}}
        {{- $.Values.postgresql.auth.database -}}
    {{- end -}}
{{- end -}}
{{- end -}}

{{/*
Return the Postgresql user
*/}}
{{- define "controlplane.database.user" -}}
{{- /*
Database user. With the bundled PostgreSQL enabled, a non-empty
.Values.global.postgresql.auth.username takes precedence over
.Values.postgresql.auth.username; otherwise the external database user is used.
*/ -}}
{{- if not .Values.postgresql.enabled -}}
    {{- .Values.controlplane.externalDatabase.user -}}
{{- else -}}
    {{- with .Values.global.postgresql -}}
        {{- with .auth -}}
            {{- coalesce .username $.Values.postgresql.auth.username -}}
        {{- else -}}
            {{- $.Values.postgresql.auth.username -}}
        {{- end -}}
    {{- else -}}
        {{- $.Values.postgresql.auth.username -}}
    {{- end -}}
{{- end -}}
{{- end -}}

{{/*
Figure out the external URL the controlplane can be reached at
This endpoint is used for the CLI to know where to go for log in
NOTE: Load balancer service type is not supported
*/}}
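{{- define "chainloop.controlplane.external_url" -}}
{{- /*
External URL of the controlplane, used by the CLI to find the login endpoint.
Precedence: .Values.controlplane.auth.oidc.externalURL; then the ingress
hostname (https when ingress.tls is true, which ternary requires to be a
boolean); then http://localhost:<nodePort> for a NodePort service; otherwise
the literal "null". LoadBalancer services are not handled.
*/ -}}
{{- $service := .Values.controlplane.service }}
{{- $ingress := .Values.controlplane.ingress }}
{{- if .Values.controlplane.auth.oidc.externalURL }}
{{- .Values.controlplane.auth.oidc.externalURL }}
{{- else if (and $ingress $ingress.enabled $ingress.hostname) }}
{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }}
{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }}
{{- /* A numeric port from values renders as "%!s(...)" with %s; coerce with int and use %d as "chainloop.controlplane.grpc_url" does. */ }}
{{- printf "http://localhost:%d" ($service.nodePorts.http | int) }}
{{- else -}}
null
{{- end -}}
{{- end -}}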

{{/*
Figure out the gRPC URL the controlplane can be reached at
*/}}
{{- define "chainloop.controlplane.grpc_url" -}}
{{- /*
gRPC endpoint of the controlplane: "api.<ingress hostname>" when the ingress is
enabled with a hostname, else localhost on the API service's https port, falling
back to its http port when https is unset.
*/ -}}
{{- $service := .Values.controlplane.serviceAPI -}}
{{- $ingress := .Values.controlplane.ingress -}}
{{- if and $ingress $ingress.enabled $ingress.hostname -}}
{{- printf "api.%s" $ingress.hostname -}}
{{- else -}}
{{- $port := coalesce $service.ports.https $service.ports.http -}}
{{- printf "localhost:%d" (int $port) -}}
{{- end -}}
{{- end -}}

{{- define "chainloop.sentry" -}}
{{- /* Sentry observability block; expects a context with mandatory `dsn` and `environment` fields. */ -}}
{{- $dsn := required "Sentry DSN required" .dsn -}}
{{- $environment := required "Sentry environment required" .environment -}}
observability:
  sentry:
    dsn: {{ $dsn | quote }}
    environment: {{ $environment | quote }}
{{- end -}}

{{/*
##############################################################################
CAS Helpers
##############################################################################
*/}}

{{- define "chainloop.cas.image" -}}
{{- /* CAS image reference built by the common chart helper from .Values.cas.image and .Values.global. */ -}}
{{- $imageArgs := dict "imageRoot" .Values.cas.image "global" .Values.global -}}
{{- include "common.images.image" $imageArgs -}}
{{- end -}}

{{/*
Chainloop CAS release name
*/}}
{{- define "chainloop.cas.fullname" -}}
{{- /* Release-scoped CAS name: "<common fullname>-cas", capped at 63 characters with no trailing "-". */ -}}
{{- $base := include "common.names.fullname" . -}}
{{- printf "%s-cas" $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Chainloop CAS Chart fullname
*/}}
{{- define "chainloop.cas.name" -}}
{{- /* Chart-scoped CAS name: "<common name>-cas", capped at 63 characters with no trailing "-". */ -}}
{{- $base := include "common.names.name" . -}}
{{- printf "%s-cas" $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "chainloop.cas.labels" -}}
{{- /* Standard labels (with .Values.commonLabels passed as customLabels) followed by the CAS component label. */ -}}
{{- $labelArgs := dict "customLabels" .Values.commonLabels "context" . -}}
{{- include "common.labels.standard" $labelArgs }}
app.kubernetes.io/component: cas
{{- end }}

{{/*
Selector labels
*/}}
{{- define "chainloop.cas.selectorLabels" -}}
{{- /* Match labels for CAS pods: .Values.cas.podLabels merged with .Values.commonLabels, plus the component label. */ -}}
{{- include "common.labels.matchLabels" (dict "customLabels" (include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .)) "context" .) }}
app.kubernetes.io/component: cas
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "chainloop.cas.serviceAccountName" -}}
{{- /*
Service account used by the CAS: the configured name, else the CAS fullname
when the chart creates the account, else "default".
*/ -}}
{{- $sa := .Values.cas.serviceAccount -}}
{{- if $sa.create -}}
{{- coalesce $sa.name (include "chainloop.cas.fullname" .) -}}
{{- else -}}
{{- coalesce $sa.name "default" -}}
{{- end -}}
{{- end }}

{{/*
External URL the CAS can be reached at
This endpoint is used for the cas to redirect downloads
NOTE: Load balancer service type is not supported
*/}}
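{{- define "chainloop.cas.external_url" -}}
{{- /*
External URL of the CAS, used for download redirects. The ingress hostname wins
(https when ingress.tls is true, which ternary requires to be a boolean); then
http://localhost:<nodePort> for a NodePort service. Unlike the controlplane
helper this renders nothing, not "null", when neither applies.
LoadBalancer services are not handled.
*/ -}}
{{- $service := .Values.cas.service }}
{{- $ingress := .Values.cas.ingress }}
{{- if (and $ingress $ingress.enabled $ingress.hostname) }}
{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }}
{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }}
{{- /* A numeric port from values renders as "%!s(...)" with %s; coerce with int and use %d as "chainloop.cas.grpc_url" does. */ }}
{{- printf "http://localhost:%d" ($service.nodePorts.http | int) }}
{{- end -}}
{{- end -}}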

{{/*
Figure out the gRPC URL the cas can be reached at
*/}}
{{- define "chainloop.cas.grpc_url" -}}
{{- /*
gRPC endpoint of the CAS: "api.<ingress hostname>" when the ingress is enabled
with a hostname, else localhost on the API service's https port, falling back
to its http port when https is unset.
*/ -}}
{{- $service := .Values.cas.serviceAPI -}}
{{- $ingress := .Values.cas.ingress -}}
{{- if and $ingress $ingress.enabled $ingress.hostname -}}
{{- printf "api.%s" $ingress.hostname -}}
{{- else -}}
{{- $port := coalesce $service.ports.https $service.ports.http -}}
{{- printf "localhost:%d" (int $port) -}}
{{- end -}}
{{- end -}}

{{/*
##############################################################################
Dex helpers
##############################################################################
*/}}

{{/*
Return the proper Dex image name
*/}}
{{- define "chainloop.dex.image" -}}
{{- /* Dex image reference built by the common chart helper from .Values.dex.image and .Values.global. */ -}}
{{- $imageArgs := dict "imageRoot" .Values.dex.image "global" .Values.global -}}
{{- include "common.images.image" $imageArgs -}}
{{- end -}}

{{/*
Return the proper service name for Dex
*/}}
{{- define "chainloop.dex" -}}
{{- /* Dex service name: "<common fullname>-dex", capped at 63 characters with no trailing "-" (the same string "chainloop.dex.fullname" yields). */ -}}
{{- $base := include "common.names.fullname" . -}}
{{- printf "%s-%s" $base "dex" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create the name of the service account to use for Dex
*/}}
{{- define "chainloop.dex.serviceAccountName" -}}
{{- /*
Service account used by Dex: the configured name, else "<common fullname>-dex"
when the chart creates the account (either way capped at 63 characters with no
trailing "-"), else "default".
*/ -}}
{{- $sa := .Values.dex.serviceAccount -}}
{{- if $sa.create -}}
    {{- coalesce $sa.name (printf "%s-dex" (include "common.names.fullname" .)) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
    {{- coalesce $sa.name "default" -}}
{{- end -}}
{{- end -}}

{{/*
Chainloop Dex release name
*/}}
{{- define "chainloop.dex.fullname" -}}
{{- /* Release-scoped Dex name: "<common fullname>-dex", capped at 63 characters with no trailing "-". */ -}}
{{- $base := include "common.names.fullname" . -}}
{{- printf "%s-dex" $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}
